CVE-2023-26211 - Vulnerability Details - OpenCVE

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00254.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortisoar

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortisoar::::::::
	cpe:2.3:a:fortinet:fortisoar:7.4.0:::::::*

No data.

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-23-088

History

Thu, 22 Aug 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortinet Fortinet fortisoar
CPEs		cpe:2.3:a:fortinet:fortisoar:::::::: cpe:2.3:a:fortinet:fortisoar:7.4.0:::::::*
Vendors & Products		Fortinet Fortinet fortisoar

Tue, 13 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Description		An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module.
Weaknesses		CWE-79
References		https://fortiguard.com/psirt/FG-IR-23-088
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2024-08-13T15:51:56.864Z

Updated: 2024-08-13T16:00:04.582Z

Reserved: 2023-02-20T15:09:20.637Z

Link: CVE-2023-26211

Vulnrichment

Updated: 2024-08-13T15:59:56.488Z

NVD

Status : Analyzed

Published: 2024-08-13T16:15:08.220

Modified: 2024-08-22T14:33:54.453

Link: CVE-2023-26211

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26211", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-02-20T15:09:20.637Z", "datePublished": "2024-08-13T15:51:56.864Z", "dateUpdated": "2024-08-13T16:00:04.582Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSOAR", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.3.0", "lessThanOrEqual": "7.3.2", "status": "affected"}, {"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.2", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "status": "affected"}, {"versionType": "semver", "version": "6.4.3", "lessThanOrEqual": "6.4.4", "status": "affected"}, {"versionType": "semver", "version": "6.4.0", "lessThanOrEqual": "6.4.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-08-13T15:51:56.864Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiSOAR version 7.5.0 or above \nPlease upgrade to FortiSOAR version 7.4.1 or above \nPlease upgrade to FortiSOAR version 7.3.3 or above"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-23-088", "url": "https://fortiguard.com/psirt/FG-IR-23-088"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-13T15:59:48.473867Z", "id": "CVE-2023-26211", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T16:00:04.582Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26211", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-13T15:59:48.473867Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T15:59:56.488Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "FortiSOAR", "versions": [{"status": "affected", "version": "7.3.0", "versionType": "semver", "lessThanOrEqual": "7.3.2"}, {"status": "affected", "version": "7.2.0", "versionType": "semver", "lessThanOrEqual": "7.2.2"}, {"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.3"}, {"status": "affected", "version": "6.4.3", "versionType": "semver", "lessThanOrEqual": "6.4.4"}, {"status": "affected", "version": "6.4.0", "versionType": "semver", "lessThanOrEqual": "6.4.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiSOAR version 7.5.0 or above \nPlease upgrade to FortiSOAR version 7.4.1 or above \nPlease upgrade to FortiSOAR version 7.3.3 or above"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-088", "name": "https://fortiguard.com/psirt/FG-IR-23-088"}], "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-08-13T15:51:56.864Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26211", "state": "PUBLISHED", "dateUpdated": "2024-08-13T16:00:04.582Z", "dateReserved": "2023-02-20T15:09:20.637Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2024-08-13T15:51:56.864Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:*", "matchCriteriaId": "3ECE9A3F-7C5F-4A34-ABB2-CD4E1997CE0E", "versionEndExcluding": "7.3.3", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortisoar:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C3F0E60-3285-43B0-83CD-98A0D5445114", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module."}, {"lang": "es", "value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\"cross-site scripting\") en Fortinet FortiSOAR 7.3.0 a 7.3.2 permite a un atacante remoto autenticado inyectar scripts web o HTML arbitrarios a trav\u00e9s del m\u00f3dulo de Comunicaciones."}], "id": "CVE-2023-26211", "lastModified": "2024-08-22T14:33:54.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2024-08-13T16:15:08.220", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-088"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@fortinet.com", "type": "Primary"}]}